On Thu, Mar 03, 2016 at 12:04:11PM +0100, Karol Babioch wrote:
> Hi,
>
> in my old iptables setup I've used something like this in the FORWARD
> chain to allow traffic that has been redirected through DNAT beforehand
> (i.e. in the NAT PREROUTING table).
>
> iptables -A FORWARD -m conntrack --ctstate DNAT -j ACCEPT
>
> This way I don't have to specify rules twice, which is not only a
> massive overhead, but also prone to errors. Apparently nftables does not
> know anything about the "DNAT" and "SNAT" states.
>
> Is there a way to simulate something like this? Marking all packets
> that are redirected using DNAT in the nat table, and allowing all marked
> packets through in the forwarding chain, should work, shouldn't it? Is
> this in any way different to the iptables approach?

I think:

nft add rule filter forward ct status dnat accept

should do the trick for you.
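The following ruleset, in nft file syntax, is an added example and not part of the original thread: it shows the one-liner above in context, next to the nat prerouting rule that sets the DNAT status bit. The interface name eth0, the internal host 192.0.2.10 and the forwarded port 80 are assumptions made for the example. Note that the match is `ct status` (the conntrack status bits, which record that a NAT mapping was applied), not `ct state`, which only knows new/established/related/invalid; this is why the "DNAT" state name from iptables does not exist in nftables. The status bit lives on the conntrack entry, so, like `--ctstate DNAT` in iptables, the rule accepts both directions of a DNAT'ed connection.

```nft
#!/usr/sbin/nft -f
# Added example: port-forward TCP/80 arriving on eth0 to an internal host,
# and let exactly that traffic through the forward chain without repeating
# the address/port match. Names and addresses are assumptions.

flush ruleset

table ip nat {
    chain prerouting {
        # Numeric priority -100 is the traditional dstnat priority.
        type nat hook prerouting priority -100; policy accept;
        # Performing the DNAT here sets the "dnat" bit in the conntrack
        # status, which the forward chain below matches on.
        iif "eth0" tcp dport 80 dnat to 192.0.2.10:80
    }
    chain postrouting {
        # Numeric priority 100 is the traditional srcnat priority.
        type nat hook postrouting priority 100; policy accept;
        oif "eth0" masquerade
    }
}

table ip filter {
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state invalid drop
        # Replies and related traffic of connections already accepted.
        ct state established,related accept
        # Equivalent of: iptables -A FORWARD -m conntrack --ctstate DNAT -j ACCEPT
        # Any connection that went through a DNAT mapping is allowed through,
        # so the forwarded port does not have to be listed a second time.
        ct status dnat accept
    }
}
```

Check the file without loading it with `nft -c -f ruleset.nft`, load it with `nft -f ruleset.nft`, and confirm the active rules with `nft list ruleset`. Because the accept is keyed on the conntrack status rather than on a packet-level address match, every DNAT rule added to the nat table later is automatically covered by the forward chain, which is the deduplication the original question asks for; the flip side is that the forward chain no longer restricts which ports may be forwarded, so the nat table becomes the single place where that policy is enforced.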